Security Breach
Law enforcers, too, fail as perpetrators usually operate from foreign shores and use 'jurisdictional arbitrage' - which means operating from jurisdictions with lax laws such as Africa and Eastern Europe - to get away.
- Apr 7, 2016,
- Updated Apr 7, 2016 9:22 PM IST
Last year, Saudi Aramco, which buys naphtha from ONGC, received an e-mail asking it to deposit Rs 100 crore for its latest purchase in a new bank account with Bangkok Bank Public Company Ltd instead of the usual State Bank of India account. The Saudi Arabia-based company did so in September. Same month, it deposited another Rs 97 crore in the new account for the same deal. But ONGC never got the money.
Suprabhat N.M., who leads the forensic services practice at Protiviti India, a global consulting firm, was entrusted with investigation into a case where a Coimbatore-based textile exporter was defrauded. One of the company's Brazilian buyers was coaxed by cybercriminals into transferring a payment to a bank account in Poland instead of the regular Singapore account.
Suprabhat's investigation helped the company track the local person who unwittingly helped the criminals by parting with the company's e-mail id and client details. His team could not recover the money. He says it is difficult to even trace the account after the fraud has been committed.
Suprabhat says there were 10 more such cases in Coimbatore alone around that time. Usually, it is the smaller companies that fall prey to such tricks, as they do not have the resources to build robust cyber security systems. Arpinder Singh, Partner & National Leader, Fraud Investigation & Dispute Services, E&Y, says, "In cyber fraud cases where money has gone out of the country, our experience says there's less than 10 per cent probability of recovery. At times it's not worth pursuing the case as you have to do it across jurisdictions, sometimes in different continents. Most of the time companies give up."
A report by computer security software company McAfee puts annual loss to the global economy due to cybercrime at $400 billion in 2014. This was 0.8 per cent of global gross domestic product or GDP. The report puts India's loss at 0.21 per cent of GDP (low as per the report), though many other reports have warned the country about these losses. A 2013 Symantec report had called India the ransomware capital of Asia Pacific.
The conviction rate also paints a bleak picture. According to the National Crime Records Bureau of India, out of 9,622 cases registered in 2014, just 0.7 per cent, or 72, ended in conviction.
These are just the reported cases. The number of unreported cases would be much more as a lot of frauds involving companies are not reported due to fear of loss of reputation. "A bank would not report a breach unless it is big. Why would it risk its image by telling everyone that its security has been breached?" says a cybercrime expert with the Enforcement Directorate.
India's laws also do not require companies to report these incidents, says Nandkumar Saravade, CEO, Data Security Council of India, a premier industry body on data protection set up by NASSCOM, the information technology industry's representative body.
Even when complaints are lodged, it is rare for criminals to be brought to justice. "The attackers are always remote. They use jurisdictional arbitrage. They know which geographies have lax laws, and that law enforcement agencies will focus only on problems in their jurisdictions. If someone is quietly operating from one area and attacking someone in another, law enforcement agencies in the latter have no reason to go after him. And the coordination among enforcement agencies of different states, forget about nations, is inadequate," says Saravade.
Anyesh Roy, DCP, Cyber Cell, Economic Offences Wing (EOW), Delhi Police, says in most cases money is diverted to a foreign country. "If the country where the money has been siphoned off has a sound law and order system, the case can be pursued there. We have seen that the enforcement agencies of such countries do respond to our queries even if the response may come a little late."
"The traditional mechanism for international cooperation, the Mutual Legal Assistance Treaty, takes a long time, at least one year and more. But in cyber crime, if you do not act fast, the evidence is gone"
However, the response may not be adequate. Often, coordination takes so long that both evidence and money disappear. "The traditional mechanism for international cooperation is the Mutual Legal Assistance Treaty or MLAT. But the process under MLAT takes a long time - at least one year and more. But in cybercrime, if you don't act fast, the evidence is gone. MLAT is not of much use," says Saravade. In order to expedite the flow of information and act quickly, a Convention on Cybercrime was formed in 2001. Many, including the US, European Council, Canada, Japan and South Africa, joined.
India is yet to become a signatory. "Joining it has been one of the demands of industry. Without this, the cooperation we get is rudimentary. This works in favour of criminals," says Saravade.
While international coordination remains a far cry, are local law enforcement agencies equipped to deal with cybercrime? Recently, the Delhi Police said that each police station would have one sub-inspector and two constables to help the station house officer in cybercrime cases.
"We have a cyber lab where we have hired people from technology background (B Tech and MCA). Besides, we take the services of CERT-IN software systems. Unofficially, of course, we also take help from technology guys," says Roy of Delhi Police's EOW.
But Delhi Police is probably one of the most well-equipped police forces in the country. In other states, things are much worse. "Earlier, the police (in other states) were setting up cybercrime cells at district headquarters levels. That time is gone. We now need to go to the police station level," says Saravade.
Last year, Saudi Aramco, which buys naphtha from ONGC, received an e-mail asking it to deposit Rs 100 crore for its latest purchase in a new bank account with Bangkok Bank Public Company Ltd instead of the usual State Bank of India account. The Saudi Arabia-based company did so in September. Same month, it deposited another Rs 97 crore in the new account for the same deal. But ONGC never got the money.
Suprabhat N.M., who leads the forensic services practice at Protiviti India, a global consulting firm, was entrusted with investigation into a case where a Coimbatore-based textile exporter was defrauded. One of the company's Brazilian buyers was coaxed by cybercriminals into transferring a payment to a bank account in Poland instead of the regular Singapore account.
Suprabhat's investigation helped the company track the local person who unwittingly helped the criminals by parting with the company's e-mail id and client details. His team could not recover the money. He says it is difficult to even trace the account after the fraud has been committed.
Suprabhat says there were 10 more such cases in Coimbatore alone around that time. Usually, it is the smaller companies that fall prey to such tricks, as they do not have the resources to build robust cyber security systems. Arpinder Singh, Partner & National Leader, Fraud Investigation & Dispute Services, E&Y, says, "In cyber fraud cases where money has gone out of the country, our experience says there's less than 10 per cent probability of recovery. At times it's not worth pursuing the case as you have to do it across jurisdictions, sometimes in different continents. Most of the time companies give up."
A report by computer security software company McAfee puts annual loss to the global economy due to cybercrime at $400 billion in 2014. This was 0.8 per cent of global gross domestic product or GDP. The report puts India's loss at 0.21 per cent of GDP (low as per the report), though many other reports have warned the country about these losses. A 2013 Symantec report had called India the ransomware capital of Asia Pacific.
The conviction rate also paints a bleak picture. According to the National Crime Records Bureau of India, out of 9,622 cases registered in 2014, just 0.7 per cent, or 72, ended in conviction.
These are just the reported cases. The number of unreported cases would be much more as a lot of frauds involving companies are not reported due to fear of loss of reputation. "A bank would not report a breach unless it is big. Why would it risk its image by telling everyone that its security has been breached?" says a cybercrime expert with the Enforcement Directorate.
India's laws also do not require companies to report these incidents, says Nandkumar Saravade, CEO, Data Security Council of India, a premier industry body on data protection set up by NASSCOM, the information technology industry's representative body.
Even when complaints are lodged, it is rare for criminals to be brought to justice. "The attackers are always remote. They use jurisdictional arbitrage. They know which geographies have lax laws, and that law enforcement agencies will focus only on problems in their jurisdictions. If someone is quietly operating from one area and attacking someone in another, law enforcement agencies in the latter have no reason to go after him. And the coordination among enforcement agencies of different states, forget about nations, is inadequate," says Saravade.
Anyesh Roy, DCP, Cyber Cell, Economic Offences Wing (EOW), Delhi Police, says in most cases money is diverted to a foreign country. "If the country where the money has been siphoned off has a sound law and order system, the case can be pursued there. We have seen that the enforcement agencies of such countries do respond to our queries even if the response may come a little late."
"The traditional mechanism for international cooperation, the Mutual Legal Assistance Treaty, takes a long time, at least one year and more. But in cyber crime, if you do not act fast, the evidence is gone"
However, the response may not be adequate. Often, coordination takes so long that both evidence and money disappear. "The traditional mechanism for international cooperation is the Mutual Legal Assistance Treaty or MLAT. But the process under MLAT takes a long time - at least one year and more. But in cybercrime, if you don't act fast, the evidence is gone. MLAT is not of much use," says Saravade. In order to expedite the flow of information and act quickly, a Convention on Cybercrime was formed in 2001. Many, including the US, European Council, Canada, Japan and South Africa, joined.
India is yet to become a signatory. "Joining it has been one of the demands of industry. Without this, the cooperation we get is rudimentary. This works in favour of criminals," says Saravade.
While international coordination remains a far cry, are local law enforcement agencies equipped to deal with cybercrime? Recently, the Delhi Police said that each police station would have one sub-inspector and two constables to help the station house officer in cybercrime cases.
"We have a cyber lab where we have hired people from technology background (B Tech and MCA). Besides, we take the services of CERT-IN software systems. Unofficially, of course, we also take help from technology guys," says Roy of Delhi Police's EOW.
But Delhi Police is probably one of the most well-equipped police forces in the country. In other states, things are much worse. "Earlier, the police (in other states) were setting up cybercrime cells at district headquarters levels. That time is gone. We now need to go to the police station level," says Saravade.